CISO: Getting Serious About Security

The continual growth of the Internet has made it easier for hackers to spread computer viruses, increased the threat of identity theft and created the possibility of a virtual terrorist attack. With these intangible security risks comes the need for an expert in information assurance: the chief information security officer.

“The fact that technology and the Internet [have] become so pervasive has created incredible opportunity for business, but it’s also created a whole new set of risks,” said Dan Lohrmann, the first CISO for the state of Michigan, who explained that the advantage of the Internet is it makes the world function “7 by 24 by 365.”

“But guess what? The bad guys can work 7 by 24 by 365,” he said. “Why didn’t you see a chief [information] security officer 20 years ago? [Because back then] you couldn’t sit in Siberia, drinking vodka next to a snowdrift and hack into some business in Michigan. The Internet’s allowed that or at least the potential for that.”

The CISO, which was a rarity five years ago, has become more pervasive in corporations as well as state governments. For Lohrmann, who has more than 20 years of technology experience, changing the culture of the government’s employees was a big part of this new role.

“When I first got to state government, it was wide open,” Lohrmann said. “The biggest security problem was people were walking in off the streets, walking into cubes and stealing purses and leaving. It was a lax security environment here, but after 9/11, a lot of that did change [and] it [changed] the whole approach to cybersecurity in Michigan. For me, [it] made me realize that we [needed] to take security seriously. We needed an office of security, we needed a director of security and we needed a chief [information] security officer who [would] carry the baton and lead this effort.”

Pathway to SuccessThe road to CISO was not short, but Lohrmann’s experience gave him a greater depth of understanding and helped cultivate his managerial capabilities. He worked in many positions in several different areas before he was offered the C-suite position. Lohrmann earned both a bachelor’s degree and a master’s degree in computer science.

His first foray into security was with the National Security Agency as a computer analyst in networking. Then he worked as a senior network engineer for Loral Aerospace in northern England and later became the technical director for ManTech International.

Personal reasons led Lohrmann to Michigan. He became the chief information officer for the state’s Department of Management and Budget and eventually the senior technology executive for e-Michigan, the state agency responsible for digital government.

Because of the events of Sept. 11 and the rise of e-government, Michigan realized the need to better protect its information. As a result, Lohrmann became CISO in 2002. Now he is on the senior executive staff, and his job is split between emergency management, daily operations and projects, and acting as a liaison between different agencies and groups.Getting Down to BusinessWhen you think of a blackout, tornado or flood, you don’t really think of the CISO, but Lohrmann said that’s one-third of his job.

“There’s virtually nothing you can do in government that doesn’t have a technology component,” he said, explaining that these components become even more vital in the case of an emergency, when organizations in government suddenly need to do their jobs faster and more effectively. “So what are they going to need? They’re going to need their technology.”

When emergencies do happen, Lohrmann’s typical working hours become twice as long, and his job becomes very hands-on. In 2003, when Michigan suffered a blackout, Lohrmann was front and center and spent four 18-hour days at the state’s emergency coordination center. One of the many issues he dealt with was food poisoning.

“It was the middle of August, it was hot [and] food was spoiling,” Lohrmann explained.

“People were going out to eat, restaurants were serving spoiled food [and] people were getting sick. The food inspectors were out there trying to do their job, but guess what? Their computers weren’t working because there was no power. Those are the kinds of issues where we’re the infrastructure to support all of the functions of state government in those kinds of emergencies.”

Strategizing for these emergencies is a big part of Lohrmann’s job. He works with the U.S. Department of Homeland Security, the Multi-State Information Sharing and Analysis Center and the United States Computer Emergency Readiness Team to better protect Michigan’s information.

Another part of the CISO’s role is overseeing the security of information day in and day out, including processes such as securing laptops and ensuring encryption is working and relationships with antivirus vendors are in place. Lohrmann also manages the writing of government policies and security projects.

The last third of Lohrmann’s role is acting as a liaison, which means getting out and talking to people. He meets with employees from Michigan’s Department of Information Technology, his colleagues, his team of 30 employees and agencies of state government, from police to the Department of Management and Budget.

“Culture is a huge part of this,” he said. “Our number one task is changing the culture of state government and helping people become security aware.”

As is the case with many high-level positions, Lohrmann is doing less of the nitty-gritty work and more of the management. About 10 to 15 percent is technical work, while the other 85 to 90 percent is overseeing his staff, communicating with other departments and going to meetings. Because of his job breakdown, Lohrmann has to employ good managerial skills, work as a team player and communicate well, but he also needs to have a thorough understanding of technology to draw upon when needed.

When asked if he missed being knee-deep in computer parts, he said “yes” and “no.”“I do miss it sometimes, but I’m providing better value to the state, to the taxpayers, to this organization,” Lohrmann said. “I love making security better for this state [in] innovative, new ways.”The Future of CISOsWhen Lohrmann began his career in security, there wasn’t an information assurance track. Now there are programs all around the country, and those studying IT can be trained to become security professionals.

Lohrmann said there is and always will be a huge demand for information security in banking and financial institutions, but the need for it in government is just as big.

“We hold a lot of information,” he said. “People don’t have an option when dealing with government. We become a sole source, if you will, for citizens, so we have a lot of their personal information, whether it is tax information or driver’s licenses. But I do think all large organizations will have a big need for cybersecurity.”

Not Just GovernmentBecause of patient medical records, hospitals had information security officers long before most corporations because of a regulation under the Health Insurance Portability and Accountability Act (HIPAA). As a result, in 2000, Chuck Klawans became the first information security officer for the Children’s Hospital and Health System in Milwaukee. Although his formal title is ISO, his role is that of a typical CISO.

“[The] information security officer has the primary responsibility for coordinating the confidentiality, integrity and availability of information resources,” Klawans said. “How it is defined in any particular organization varies by organization. In my role here, I [am] responsible for doing the back-end work — the analysis, investigation and auditing — to make sure that our security controls are appropriate and doing what they’re supposed to [do]. I also have staff that has the major responsibility of maintaining user accounts for the users.”

Getting this type of information assurance means setting policy to ensure security. “Any organization’s security policy forms the baseline for the organization’s security posture, as the policy lays out what is and isn’t permissible,” Klawans said. “Security policies set out the expectations against which compliance can be measured.”

As ISOs and CISOs become more prevalent, certifications become more of a necessity. Klawans is a Certified Information Systems Auditor (CISA), a Certified Information Security Manager (CISM) and a Certified Information Systems Security Professional (CISSP).

“Most often they [companies] seem to be looking for a CISSP,” he said. “Often they will be open to others such as the CISA or CISM, but it’s become important in this position to be certified.”

The role of CISO or ISO is vital today, but will become even more so in the future, as systems and data storage proliferate and identity theft and privacy invasion rise.

“There is such a reliance on information systems,” Klawans said. “We are trying to reduce paper as much as possible. Well, you start putting medical records onto electronic media, and if there’s no paper record, what happens when the systems aren’t functioning? That’s where the whole availability notion comes in, as well as keeping [that information] confidential and maintaining the integrity of [it]. We’re trying to address that, and I’m sure it’s something that not just health care [but] all organizations are facing.”